1.2.1 Execute Specific Trampoline

Here the value 0x82ee874 is pushed onto the stack and control
transfers unconditionally to the target 0xb7c45028. No new return
address is pushed by this transfer, so the return IP left behind by
the call in Main stays on the stack beneath the pushed value.

The value being pushed is a pointer to the method descriptor for
System.Console.WriteLine; its type is MonoMethod *. (Note: the value
pushed is specific to the method invoked at the call site, which is
why this trampoline is called a 'specific' one.)

The jump target is another piece of runtime-generated code. Let's
call this code the Generic Jit Trampoline.

1.2.2 Execute Generic Jit Trampoline

At the point of entry to this trampoline the stack state is as
pictured below

1.2.2.1.2 Patch ‘The Call Site’

Patch the call site in Main. With this, the call to the Specific
Trampoline at offset Main + 0x10 is replaced with a call to the
native code of the WriteLine method.

At this point the Main method is compiled wholly into its native
form and the reference to the trampoline at this call site is gone.
(Theoretically) all future invocations from this call site land
directly in WriteLine. The invocation already in flight, however,
entered through the old call and still has to be steered to
WriteLine by hand; that is what the remaining steps do.

1.2.2.1.3 Return a pointer to the compiled method

Control now returns to the Generic Jit Trampoline, the code that
called the magic trampoline. The pointer to the native WriteLine
method is returned in the eax register.

1.2.2.2 Post processing with Magic Trampoline’s return value

The key action happens at offset 0x58 in the Generic Jit Trampoline.

Here the register eax points to the native version of
Console.WriteLine. This pointer is written into the stack slot from
which the trampoline's closing ret will pop its return address (the
slot labelled 'Return IP' in the picture).

The net effect is that when the Generic Jit Trampoline executes its
'ret' instruction, control transfers to the WriteLine method.
Furthermore, the state of the stack at this invocation of WriteLine
is exactly as though no magic ever happened: the arguments and the
return address into Main are where a direct call would have left
them.
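The whole sequence in 1.2.1 and 1.2.2 (specific trampoline, generic trampoline, magic trampoline, call-site patch, transfer into the compiled method) can be modelled in portable C. The block below is an added example written for this page; it is not Mono's code and it does not emit machine code. The patchable "call site" is a function-pointer slot standing in for the call at Main + 0x10, the MonoMethod * is a small descriptor struct, and the "write eax over the slot that ret pops, then ret" step is expressed as a tail call. All names (method_desc, call_site, magic_trampoline, run_main, and so on) are assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Stand-in for MonoMethod: the descriptor the specific trampoline pushes.
 * Constructed for this example; it is not Mono's real struct. */
typedef int (*native_fn)(int);

typedef struct method_desc {
    const char *name;
    native_fn   native;         /* NULL until the JIT has compiled the method */
    int         compile_count;  /* how many times the "JIT" ran for it */
} method_desc;

/* A call site inside Main: an indirect call through a patchable slot.  This
 * is the analogue of the call at Main + 0x10; before the first call the slot
 * holds the specific trampoline, afterwards the compiled method. */
typedef struct call_site {
    native_fn    slot;
    method_desc *method;
} call_site;

/* Counts how often control passed through the generic trampoline at all. */
static int generic_trampoline_hits;

/* The code the JIT supposedly produces for Console.WriteLine.  For the
 * example it returns its argument doubled so the caller can see it ran. */
static int writeline_native(int value) { return value * 2; }

/* The "JIT": produce native code for a descriptor.  Here it only selects a
 * pre-built function, but, like the real thing, it runs at most once. */
static native_fn jit_compile(method_desc *m) {
    if (m->native == NULL) {
        m->compile_count++;
        m->native = writeline_native;
    }
    return m->native;
}

/* Magic trampoline (1.2.2.1, the C part of the runtime): compile the
 * method, patch the call site, return the native entry point ("eax"). */
static native_fn magic_trampoline(method_desc *m, call_site *site) {
    native_fn target = jit_compile(m);
    site->slot = target;        /* 1.2.2.1.2: patch the call site */
    return target;              /* 1.2.2.1.3: pointer to compiled method */
}

/* Generic JIT trampoline (1.2.2): hand the pushed descriptor and the call
 * site to the magic trampoline, then transfer to the result with the
 * caller's argument untouched.  The tail call stands in for "write eax over
 * the slot the ret pops, then ret" (1.2.2.2). */
static int generic_trampoline(call_site *site, int arg) {
    generic_trampoline_hits++;
    native_fn target = magic_trampoline(site->method, site);
    return target(arg);
}

/* The single call site in Main and its specific trampoline (1.2.1).  The
 * trampoline is bound to exactly one descriptor; that binding is what makes
 * it "specific". */
static method_desc writeline_desc = { "System.Console.WriteLine", NULL, 0 };
static int specific_trampoline_writeline(int arg);
static call_site main_plus_0x10 = { specific_trampoline_writeline, &writeline_desc };

static int specific_trampoline_writeline(int arg) {
    /* "push MonoMethod*; jmp generic_trampoline": the descriptor travels
     * along, the caller's argument and return path are left alone. */
    return generic_trampoline(&main_plus_0x10, arg);
}

/* Main: call WriteLine through the patchable slot `calls` times and return
 * the last result.  Only the first call should pass through a trampoline. */
static int run_main(int calls) {
    int result = 0;
    for (int i = 0; i < calls; i++)
        result = main_plus_0x10.slot(21);   /* the call at Main + 0x10 */
    return result;
}

/* True once the slot no longer points at the trampoline. */
static int call_site_is_patched(void) {
    return main_plus_0x10.slot == writeline_native;
}

int main(void) {
    int result = run_main(3);
    printf("WriteLine(21) = %d after 3 calls; trampoline passes = %d; "
           "patched = %d; compiled %d time(s)\n",
           result, generic_trampoline_hits, call_site_is_patched(),
           writeline_desc.compile_count);
    return 0;
}
```

Two security-relevant properties of the real mechanism are visible in the model. First, the slot that decides where control goes is writable data until it is patched, and in the runtime the patched bytes live in the JIT code page, so that page has to be writable at the moment of the patch; a system enforcing W^X has to flip protections around that write. Second, the closing step is a return into whatever address sits in a stack slot: the trampoline trusts the pointer handed back in eax completely, so any corruption of the descriptor or of that slot redirects control with no further check.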